Bad things happen when a DaemonSet with hostNetwork:true is deployed #366
Comments
Is this caused by the init container rewriting the iptables rules for the entire host when hostNetwork: true? I believe so; see istio/istio.io#655. /cc @pcalcado
Also, are we really intending to inject into daemonsets by default? We have code that appears to do so, but I don't know that we actually intend to do that. I don't think the UI is expecting injections into non-pod objects, at least. For example, the UI doesn't discern the type of object and might even group a pod and a daemonset with the same name together or do other bad things. I think we should restrict injection to pods exclusively and file a follow-up issue about spec'ing what, if anything, to do about daemonsets.
Wow, @jpweber, nice find!
This isn't how I understand daemonsets -- daemonsets are like replicacontrollers or deployments, essentially, in that they are a parent resource that creates pods. So I think daemonsets are very much analogous to what we refer to as "deployments" in the UI at the moment. There's no reason that I'm aware of that we wouldn't want to support injecting daemonsets. However, it seems we absolutely must avoid adding proxy-init into any resource that has
@olix0r should we try to get a fix in for 0.3?
@jpweber We'll fix this for 0.3, scheduled for next week.
Refactor `conduit inject` code to make it unit-testable. Refactor the conduit inject code to make it easier to add unit tests. This work was done by @deebo91 in #365. This is the same PR without the conduit install changes, so that it can land ahead of #365. In particular, this will be used for testing the fix for high-priority bug #366. Signed-off-by: Dennis Adjei-Baah <dennis@buoyant.io> Signed-off-by: Brian Smith <brian@briansmith.org>
The init container injected by conduit inject rewrites the iptables configuration for its network namespace. This causes havoc when the network namespace isn't restricted to the pod, i.e. when hostNetwork=true. Skip pods with hostNetwork=true to avoid this problem. Fixes #366. Signed-off-by: Brian Smith <brian@briansmith.org>
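The skip described in the fix commit above, as an added example that is not conduit's own code: a single check that refuses to add proxy-init to any workload whose pods would share the node's network namespace. It accepts a manifest as JSON (a valid encoding of a Kubernetes object, used here to stay on the standard library), looks at `spec.hostNetwork` for a bare Pod and `spec.template.spec.hostNetwork` for controllers, and explains its decision. The minimal `manifest` struct, the `controllerKinds` list and the `ShouldInject` name are assumptions of this example, not types or functions from the project.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// manifest keeps only the fields this check needs; encoding/json ignores the
// rest of the object. Hypothetical minimal type, not the Kubernetes API structs.
// A bare Pod carries hostNetwork at spec.hostNetwork; Deployments, DaemonSets
// and other controllers carry it at spec.template.spec.hostNetwork.
type manifest struct {
	Kind string `json:"kind"`
	Spec struct {
		HostNetwork bool `json:"hostNetwork"`
		Template    struct {
			Spec struct {
				HostNetwork bool `json:"hostNetwork"`
			} `json:"spec"`
		} `json:"template"`
	} `json:"spec"`
}

// controllerKinds lists the kinds whose pod template lives under spec.template.
// Assumed for this example; the project may support a different set.
var controllerKinds = map[string]bool{
	"Deployment": true, "DaemonSet": true, "ReplicaSet": true,
	"StatefulSet": true, "Job": true, "ReplicationController": true,
}

// ShouldInject reports whether proxy-init may be added to the object in doc,
// with a human-readable reason. proxy-init rewrites iptables in whatever
// network namespace it starts in, so anything with hostNetwork: true would
// have the node's own rules rewritten; such objects are always refused.
// Kinds without a pod template are left alone rather than guessed at.
func ShouldInject(doc []byte) (bool, string, error) {
	var m manifest
	if err := json.Unmarshal(doc, &m); err != nil {
		return false, "", fmt.Errorf("parse manifest: %w", err)
	}

	var hostNet bool
	switch {
	case m.Kind == "Pod":
		hostNet = m.Spec.HostNetwork
	case controllerKinds[m.Kind]:
		hostNet = m.Spec.Template.Spec.HostNetwork
	default:
		return false, fmt.Sprintf("kind %q has no pod template to inject into", m.Kind), nil
	}

	if hostNet {
		return false, m.Kind + " uses hostNetwork: true; proxy-init would rewrite the node's iptables", nil
	}
	return true, m.Kind + " pods get their own network namespace", nil
}

func main() {
	// Constructed samples: a DaemonSet on the host network (the shape of the
	// report above) and an ordinary Deployment. Not manifests from the issue.
	samples := [][]byte{
		[]byte(`{"kind":"DaemonSet","spec":{"template":{"spec":{"hostNetwork":true,"containers":[{"name":"app"}]}}}}`),
		[]byte(`{"kind":"Deployment","spec":{"template":{"spec":{"containers":[{"name":"app"}]}}}}`),
		[]byte(`{"kind":"Pod","spec":{"hostNetwork":true,"containers":[{"name":"app"}]}}`),
	}
	for _, doc := range samples {
		ok, why, err := ShouldInject(doc)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("inject=%v: %s\n", ok, why)
	}
}
```

The decision is made on the parsed object rather than by searching the text for `hostNetwork`, so a `hostNetwork: true` buried in a container's environment or an annotation does not cause a false skip, and a real one at the pod level cannot be missed by a formatting quirk.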
When deploying a DaemonSet with hostNetwork set to true, an assortment of network-related issues happened. kube-apiserver was not reachable, hosts could not be SSHed into, the conduit GUI could not connect to conduit components, etc.
I'm raising this issue not because I want to deploy a DaemonSet with conduit injected into it and use hostNetwork, but I don't think it should effectively take down a cluster either. There has to be a way to protect from this. To replicate the issue, deploy the manifest below.
This occurred in the following environment.
k8s 1.9.3
ubuntu 16.04